Initial commit unclean

This commit is contained in:
2025-08-30 20:31:10 +02:00
commit 4ebc8b23fe
50 changed files with 5191 additions and 0 deletions

.sops.yaml Normal file

@@ -0,0 +1,10 @@
# .sops.yaml
# Just the defaults
keys:
- &primary age1a2kpues0gayampkn9pn2czhk24r0yl4jnw84qg4gh5l72dflx95qkmyqzv
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *primary
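Review bot: `creation_rules` lists a single age recipient (`&primary`) for `secrets.yaml$`, and the host configurations in this commit (gullfoss, misox, stranox) all decrypt with the same `keyFile` under `/home/jonas`, so one personal key unlocks every secret on every host and losing it makes the file unrecoverable. Add one recipient per host (sops-nix can derive an age key from `/etc/ssh/ssh_host_ed25519_key` via `sops.age.sshKeyPaths`) and keep the personal key as the editing key, e.g. `- &gullfoss age1<HOST-PUBLIC-KEY-PLACEHOLDER>` under `keys:` and both anchors in the rule's `age:` list. The `path_regex` is only end-anchored, which is fine while every host shares one secrets file; once hosts get their own keys, one rule per host file keeps each server able to read only its own secrets.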

flake.lock generated Normal file


flake.nix Normal file

@@ -0,0 +1,145 @@
# This is the main flake containing all the nix related stuff
{
description = "Main system configuration management - Jonas Hahn";
inputs = {
# The main nix inputs
nixpkgs.url = "nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
nur = {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix.url = "github:Mic92/sops-nix";
# optional, not necessary for the module
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
# Other utility stuff may be moved to a seperate flake in the future
# Love this system of just rolling to a certain commit!
xremap-flake.url = "github:xremap/nix-flake?rev=8001f37b1ffe86e76b62f36afadee2f4acf90e70";
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
stylix.url = "github:danth/stylix/release-25.05";
#TODO: Add the mailserver to here
# Testing
#nix-snapd.url = "github:nix-community/nix-snapd";
#nix-snapd.inputs.nixpkgs.follows = "nixpkgs";
#hyprland.url = "github:hyprwm/Hyprland";
# hyprland-plugins = {,
# url = "github:hyprwm/hyprland-plugins";
# #inputs.hyprland.follows = "hyprland";
# };
};
outputs = { self, nixpkgs, sops-nix, nixpkgs-unstable, nur, home-manager, stylix, ... }@inputs:
let
system = "x86_64-linux";
# Unserstand this overlay method or do another one
overlay-unstable = final: prev: {
unstable = nixpkgs-unstable.legacyPackages.${prev.system};
};
overlay-nur = final: prev: {
nur = nur.legacyPackages.${prev.system};
};
helperModules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable overlay-nur ]; })
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# messed up firefox
#home-manager.backupFileExtension = "backup";
home-manager.extraSpecialArgs = { inherit inputs; };
home-manager.users.jonas = import ./nixos/users/jonas/home.nix;
home-manager.users.root = import ./nixos/users/root/home.nix;
}
];
in
{
# New thinkpad | main workstation
nixosConfigurations."thinix" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
# Use overlay magic with pkgs.unstable.<name>
./nixos/hosts/thinkpadt470s/configuration.nix
#nix-snapd.nixosModules.default
#{
# services.snap.enable = true;
#}
] ++ helperModules;
};
# Acer laptop | second workstation
nixosConfigurations."nixyos" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./nixos/hosts/asus-vivo/configuration.nix
] ++ helperModules;
};
nixosConfigurations."minoxy" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./nixos/hosts/minoxy/configuration.nix
] ++ helperModules;
};
# Cloudserver minimal without all the (bloat) stuff
nixosConfigurations."stranox" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable overlay-nur ]; })
./nixos/hosts/stranox/configuration.nix
];
};
# Other system configurations
nixosConfigurations = {
# Testing server old computer
"misox" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./nixos/hosts/misox_msi/configuration.nix
] ++ helperModules;
};
# Old Asus laptop
"asuox" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./nixos/hosts/acer-katze/configuration.nix
] ++ helperModules;
};
"gullfoss" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./nixos/hosts/gullfoss/configuration.nix
] ++ helperModules;
};
"fruitypi" = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs; };
modules = [
./nixos/hosts/rpi3/configuration.nix
];
};
};
};
}
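Review bot: The `let` binding `system = "x86_64-linux"` is never used — every `nixosSystem` call spells the literal again — so either drop it or write `inherit system;` in each host block (`fruitypi` passes no `system` at all and so relies on its hardware configuration setting `nixpkgs.hostPlatform`, which is worth confirming since that file is not in this commit view). The overlay module `({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable overlay-nur ]; })` is written twice, once in `helperModules` and once inline for `stranox`; binding it as `overlayModule` in the `let` block and referencing it from both lists removes the duplication. Two comment typos while you are there: `Unserstand` and `seperate`.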


@@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
let
var22 = "22";
in
{
nixpkgs.config.allowUnfree = true;
imports = [
./hardware-configuration.nix
# Installing needed modules
../../modules/tweaks.nix
../../users.nix
../../modules/workstation.nix
# Disabling the powersaving to save the wifi?
# ../../modules/laptop.nix
../../common.nix
];
networking.hostName = "asuox";
bootMode = "legacy";
# TODO: make this a module
networking.networkmanager.wifi.powersave = false;
# Never change this!
system.stateVersion = "24.11";
}
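Review bot: `var22 = "22"` in the `let` block is never referenced (the same dead binding appears in the `minoxy` configuration in this commit) and can be removed; Nix accepts unused bindings silently, so nothing will flag it later. `bootMode = "legacy";` is not a nixpkgs option, so this file only evaluates if one of the imported modules (presumably `../../modules/tweaks.nix` or `workstation.nix`, neither in this hunk) declares it; a comment such as `# bootMode is declared in <declaring module>` would save the next reader the search.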


@@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "sd_mod" "sr_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/95b00222-f6c7-4055-b4d8-9ef53ce69775";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
# !!! If your board is a Raspberry Pi 1, select this:
boot.kernelPackages = pkgs.linuxPackages_rpi;
# On other boards, pick a different kernel, note that on most boards with good mainline support, default, latest and hardened should all work
# Others might need a BSP kernel, which should be noted in their respective wiki entries
# nixos-generate-config should normally set up file systems correctly
imports = [ ./hardware-configuration.nix ];
# If not, you can set them up manually as shown below
/*
fileSystems = {
# Prior to 19.09, the boot partition was hosted on the smaller first partition
# Starting with 19.09, the /boot folder is on the main bigger partition.
# The following is to be used only with older images. Note such old images should not be considered supported anymore whatsoever, but if you installed back then, this might be needed
/*
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
*/
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
}
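Review bot: Nix does not support nested block comments, so the `*/` that ends the inner `/* "/boot" = … */` example also terminates the outer `/*` opened before `fileSystems = {`; from `"/" = {` down to the following `};` the lines are live code, and that stray `};` closes the module's attribute set before `swapDevices`, so the file should fail to parse when `fruitypi` is evaluated (worth confirming against the flake). Either delete the dead example entirely or turn the inner block into line comments, e.g. `# "/boot" = {`, `#   device = "/dev/disk/by-label/NIXOS_BOOT";`, `# };`, so that only one `/* … */` pair remains. The comment `# !!! If your board is a Raspberry Pi 1, select this:` no longer matches the line below it, which selects `linuxPackages_rpi` unconditionally; `# Raspberry Pi kernel; other boards need a different kernelPackages` describes what the code does.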


@@ -0,0 +1,59 @@
{ config, lib, pkgs, inputs, ... }:
{
imports =
[
# Loading the high level modules
./hardware-configuration.nix
# Loading modules
../../modules/server_gull
# Loading single modules
../../modules/misc/virt.nix
../../common.nix
../../users.nix
# Random (can be disabled)
# ../../modules/minecraft.nix
inputs.sops-nix.nixosModules.sops
];
# This is the sops setup and should be done here??
# Sops configuration and initialisation
sops.defaultSopsFile = ../../../secrets.yaml;
sops.defaultSopsFormat = "yaml";
# hard code the username here
sops.age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
# ensure a user is there to own the template
users.users.ddclient = {
isSystemUser = true;
group = "ddclient";
};
users.groups.ddclient = {};
# setup the templates to use them in services
sops.secrets.strato_dns_bitzz = {};
sops.templates."ddclient-temp" = {
owner = "ddclient";
# This is the main strato configuration
# use api6 for ipv6
content = ''
ssl=yes
protocol=dyndns2
use=web, web=api.ipify.org
server=dyndns.strato.com/nic/update
login=bitzz.de
password='${config.sops.placeholder.strato_dns_bitzz}'
bitzz.de,cloud.bitzz.de,app.bitzz.de
'';
};
networking.hostName = "gullfoss";
#system.copySystemConfiguration = true;
system.stateVersion = "24.11";
}
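Review bot: `sops.age.keyFile = "/home/jonas/.config/sops/age/keys.txt"` points the host's decryption key at a personal key inside a user home directory, and the same line appears in the `misox` and `stranox` configurations in this commit; sops-nix reads it as root during activation so it works, but a compromise of that account or of any one host yields the secrets of every host, and the key may be unavailable if `/home` is mounted late or the user is recreated. Give each host its own recipient, e.g. `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, add the corresponding public key to `.sops.yaml`, and keep the personal key only on the editing workstation. The `ddclient` template hard-codes `login=bitzz.de` and the domain list in exactly the shape misox uses for `hahn1.one`; a small module taking login, domains and the secret name as arguments would remove the copy and keep both hosts in step.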


@@ -0,0 +1,116 @@
{ config, lib, pkgs, ... }:
let
var22 = "22";
in
{
nixpkgs.config.allowUnfree = true;
imports = [
./hardware-configuration.nix
# Installing needed modules
../../modules/tweaks.nix
../../users.nix
../../modules/workstation.nix
# Disabling the powersaving to save the wifi?
# ../../modules/laptop.nix
../../common.nix
];
networking.hostName = "minoxy";
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# TODO: make this a module
hardware.graphics = {
enable = true;
};
# Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = ["nvidia"];
nixpkgs.config.cudaSupport = true;
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
#:powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
hardware.enableAllFirmware = true;
services = {
pipewire = {
enable = true;
wireplumber = {
enable = true;
};
alsa = {
enable = true;
support32Bit = true;
};
audio.enable = true;
pulse.enable = true;
jack.enable = false;
};
};
# Rest the Display manager for the computer machine
services.displayManager.ly.enable = lib.mkForce false;
services.xserver.displayManager.gdm.enable = true; # We are pre 25.11
# TODO MAke this work
services.colord.enable = true;
systemd.targets.sleep.enable = true;
systemd.targets.suspend.enable = true;
environment.systemPackages = with pkgs; [
# replace blender with this line
(blender.override {
cudaSupport = true;
})
go
libuuid
busybox
chromium
];
# Fix VSC Speech plugin by manually linking those
environment = {
sessionVariables = {
LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.libuuid.lib}/lib";
};
};
virtualisation.docker.enable = true;
virtualisation.docker.storageDriver = "btrfs";
# Never change this!
system.stateVersion = "25.05";
}
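Review bot: `environment.sessionVariables.LD_LIBRARY_PATH` installs a global loader search path for every process in the session, which changes library resolution for all programs rather than just the VS Code speech plugin the comment names, and is a common source of crashes on NixOS when a program picks up an incompatible libc or libstdc++ from that path. `programs.nix-ld.libraries = with pkgs; [ stdenv.cc.cc.lib libuuid ];` limits the extra search path to foreign binaries run through nix-ld, which is the case the comment describes; otherwise a per-application wrapper can set the variable. `var22 = "22"` in the `let` block is unused, and the `# We are pre 25.11` note on `services.xserver.displayManager.gdm.enable` is accurate for `stateVersion = "25.05"` but will need revisiting on the next channel bump.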


@@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# FUll btrfs config
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e52b1440-66f3-4129-b3c0-fba3491e2bbc";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/e52b1440-66f3-4129-b3c0-fba3491e2bbc";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/e52b1440-66f3-4129-b3c0-fba3491e2bbc";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3091-F0BF";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/3e591e27-c6c5-4e28-900b-f899bc3d5e70"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp112s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,58 @@
{ config, lib, pkgs, inputs, ... }:
{
imports =
[
# Loading the high level modules
./hardware-configuration.nix
# Core of the config
../../modules/server
# Loading modules
../../common.nix
../../users.nix
../../modules/misc/virt.nix
#../../modules/rare/minecraft.nix
# set the keyboard for local dev
../../modules/tweaks.nix
# Load sops
inputs.sops-nix.nixosModules.sops
];
# This is the sops setup and should be done here??
# Sops configuration and initialisation
sops.defaultSopsFile = ../../../secrets.yaml;
sops.defaultSopsFormat = "yaml";
# hard code the username here
sops.age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
# ensure a user is there to own the template
users.users.ddclient = {
isSystemUser = true;
group = "ddclient";
};
users.groups.ddclient = {};
# setup the templates to use them in services
sops.secrets.strato_dns = {};
sops.templates."ddclient-temp" = {
owner = "ddclient";
# This is the main strato configuration
content = ''
ssl=yes
protocol=dyndns2
use=web, web=api6.ipify.org
server=dyndns.strato.com/nic/update
login=hahn1.one
password='${config.sops.placeholder.strato_dns}'
hahn1.one,cloud.hahn1.one,app.hahn1.one,dash.hahn1.one,grafana.hahn1.one,cool.hahn1.one,acmechallenge.hahn1.one
'';
};
#system.copySystemConfiguration = true;
system.stateVersion = "24.11";
}
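Review bot: `sops.templates."ddclient-temp"` is defined here but nothing in this hunk consumes it — `services.ddclient` is not configured in this file — so the template presumably feeds `services.ddclient.configFile` somewhere under `../../modules/server`, which is not in this view. A comment on the template, `# rendered path is consumed by services.ddclient in <module path>`, would make that dependency visible, and would also answer the open question in `# This is the sops setup and should be done here??`. Note that the `use=web, web=api6.ipify.org` line submits the host's IPv6 address while the gullfoss copy uses `api.ipify.org`; if that difference is intentional a one-word comment saves a future diff hunt.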


@@ -0,0 +1,38 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/191c0c61-d012-4b35-8df9-75ae40d6004c";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B425-9C77";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/94b57e8b-8417-4a1f-a9e4-b6c92cc26ba4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp6s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,33 @@
# Edit this configuration file to define what should be installed on
# your system.
{ lib, pkgs, ... }:
let
test_variable = "Hello world";
in {
imports = [
./hardware-configuration.nix
# Installing the common modules
# Still need to modularize this
# ../../modules/networking.nix
# Common modules
../../users.nix
../../modules/tweaks.nix
../../modules/laptop.nix
../../common.nix
];
# TEST INSERT
nixpkgs.config.allowUnfree = true;
networking.networkmanager.wifi.powersave = true;
networking.hostName = "nixyos";
system.stateVersion = "24.11"; # Did you read the comment?
}
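Review bot: `test_variable = "Hello world"` in the `let` block and the `# TEST INSERT` marker above `allowUnfree` look like leftovers from experimenting and can be removed; Nix accepts an unused binding silently, so nothing will flag it later. The file header `# Edit this configuration file to define what should be installed on your system` is the generated template text and no longer describes a host module imported by a flake; a one-line header such as `# nixyos: second workstation laptop` (matching the flake's comment) would be more useful to the next reader.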


@@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/881615c5-5c12-46c5-8bd2-1959f9347980";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/515E-BF68";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/07f75e57-a125-4619-b65b-c37fb425275f"; }
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,541 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
"127.0.0.1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
"::1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
jondav = {};
jondavpass = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
"webdavconf" = {
owner = "webdav";
group = "webdav";
content = ''
#permissions: CRUD
#debug: true
#behindProxy: true
address: 0.0.0.0
auth: true
modify: true
port: 6065
#scope: /var/lib/webdav/
directory: /var/lib/webdav/
#rules: []
#permissions: R
users:
- password: '${config.sops.placeholder.jondavpass}'
username: ${config.sops.placeholder.jondav}
permissions: CRUD
'';
path = "/etc/webdav/config.yaml";
};
};
};
systemd.tmpfiles.rules = [
"d /var/lib/webdav 0750 webdav webdav -"
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
"androidp" = { id = "UIJS6LQ-CQY7UWH-3KTJ2VH-3N73VNK-V6NWTIE-L4ZUEWW-R625SV4-YKMVKQY"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
"syncthingtest" = {
path = "/home/jonas/phonebla";
devices = [ "androidp" ];
ignorePerms = true;
versioning = {
type = "staggered";
};
};
};
};
};
};
services.radicale = {
enable = true;
settings.server.hosts = [ "127.0.0.1:5232" ];
settings.auth.type = "none";
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
webdav = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
webdav = {
isSystemUser = true;
group = "webdav";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" "webdav" "davfs2" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"rad.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# "qrank.hahn1.one" = {
# "qr forceSSL = true;
# "qr enableACME = true;
# "qr #basicAuth = { jonas = "1234"; };
# "qr locations."/" = {
# "qr proxyPass = "http://127.0.0.1:18765";
# "qr proxyWebsockets = true;
# "qr };
# "qr};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
#"dev.hahn1.one" = {
# forceSSL = true;
# forenableACME = true;
# for#basicAuth = { jonas = "1234"; };
# forlocations."/" = {
# for proxyPass = "http://127.0.0.1:6065";
# for proxyWebsockets = true;
# for};
#};
#"dev.hahn1.one" = {
# forceSSL = true;
# enableACME = true;
# # This is of course not secure but better than to have nothing
# # First one need to read this code to access
# basicAuth = { dev = "dev"; };
# # use a dev proxypass to test some applications
# locations."/" = {
# proxyPass = "http://127.0.0.1:8888";
# proxyWebsockets = true;
# };
#};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"sync.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:6065";
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
set $dest $http_destination;
if ($http_destination ~ "^https://dev.hahn1.one(?<path>(.+))") {
set $dest /$path;
}
proxy_set_header Destination $dest;
'';
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
# Default nginx site to felx
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
locations."/radicale/" = {
proxyPass = "http://127.0.0.1:5232/";
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
proxy_pass_header Authorization;
'';
};
};
};
};
};
#networking.firewall.allowedTCPPorts = [
# 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
#];
#networking.firewall.allowedUDPPorts = [
# # 8472 # k3s, flannel: required if using multi-node for inter-node networking
#];
services.webdav.enable = true; # test turning off
services.webdav.user = "webdav";
services.webdav.group = "webdav";
#services.webdav.settings =
# {
# address = "0.0.0.0";
# port = 6065;
# #scope = "/var/lib/webdav/";
# directory = "/var/lib/webdav";
# modify = true;
# auth = true;
# users = [
# {
# username = "jonas";
# password = "jonasdav123";
# }
# ];
# };
services.webdav.configFile = "/etc/webdav/config.yaml" ;
# k3s testing
services.k3s = {
enable = true;
role = "server";
extraFlags = [
"--disable=traefik"
"--debug"
];
};
security.acme = {
acceptTerms = true;
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
ripgrep
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}
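Review bot: `services.radicale` is configured with `settings.auth.type = "none"` and then exposed on the public default vhost via `locations."/radicale/"` on `hahn1.one`, so anyone reaching the host can claim any username and read or write its calendars; set an authentication type (e.g. `settings.auth.type = "htpasswd";` with `settings.auth.htpasswd_filename`) or restrict that location. The PostgreSQL override `local all all trust` lets any local account, including the `nginx` and `webdav` service users, connect as any database role without a password; `peer` or `scram-sha-256` is the safer method. The webdav template binds `address: 0.0.0.0` on 6065 and 6065 is also in `allowedTCPPorts`, so the service is reachable over plain HTTP directly, bypassing the TLS vhost `sync.hahn1.one`; bind it to `127.0.0.1` and drop the port from the firewall. `dev.hahn1.one` proxies the Syncthing GUI on 8384 with the `basicAuth` line commented out, which leaves it open to the internet unless Syncthing's own GUI user and password are set in its configuration — worth confirming. Separately, the `Destination` rewrite inside `sync.hahn1.one` matches `^https://dev.hahn1.one`, which looks stale and would leave WebDAV MOVE/COPY requests through `sync.hahn1.one` unrewritten.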


@@ -0,0 +1,449 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
"127.0.0.1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
"::1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
jondav = {};
jondavpass = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
"webdavconf" = {
owner = "webdav";
group = "webdav";
content = ''
address: 127.0.0.1
port: 6065
# The directory that will be able to be accessed by the users when connecting.
# This directory will be used by users unless they have their own 'directory' defined.
# Default is '.' (current directory).
directory: /home/jonas/webdav
# The default permissions for users. This is a case insensitive option. Possible
# permissions: C (Create), R (Read), U (Update), D (Delete). You can combine multiple
# permissions. For example, to allow to read and create, set "RC". Default is "R".
permissions: RCUD
# noPassword: true
users:
# Example 'admin' user with plaintext password.
- username: ${config.sops.placeholder.jondav}
password: ${config.sops.placeholder.jondavpass}
'';
path = "/etc/webdav/config.yaml";
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
webdav = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
webdav = {
isSystemUser = true;
group = "webdav";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
#"dev.hahn1.one" = {
# forceSSL = true;
# forenableACME = true;
# for#basicAuth = { jonas = "1234"; };
# forlocations."/" = {
# for proxyPass = "http://127.0.0.1:6065";
# for proxyWebsockets = true;
# for};
#};
#"dev.hahn1.one" = {
# forceSSL = true;
# enableACME = true;
# # This is of course not secure but better than to have nothing
# # First one need to read this code to access
# basicAuth = { dev = "dev"; };
# # use a dev proxypass to test some applications
# locations."/" = {
# proxyPass = "http://127.0.0.1:8888";
# proxyWebsockets = true;
# };
#};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
};
};
};
#networking.firewall.allowedTCPPorts = [
# 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
#];
#networking.firewall.allowedUDPPorts = [
# # 8472 # k3s, flannel: required if using multi-node for inter-node networking
#];
services.k3s.enable = true; # Not required for problem solving
services.webdav.enable = true; # test turning off
services.webdav.user = "webdav";
services.webdav.group = "webdav";
services.webdav.configFile = "/etc/webdav/config.yaml" ;
services.k3s.role = "server";
services.k3s.extraFlags = toString [
# "--debug" # Optionally add additional args to k3s
];
security.acme = {
acceptTerms = true;
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
ripgrep
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}


@@ -0,0 +1,377 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
#"127.0.0.1" = ["cloud.hahn1.one" "cool.hahn1.one"];
#"::1" = ["cloud.hahn1.one" "cool.hahn1.one"];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
# This is of course not secure but better than to have nothing
# First one need to read this code to access
basicAuth = { dev = "dev"; };
# use a dev proxypass to test some applications
locations."/" = {
proxyPass = "http://127.0.0.1:8888";
proxyWebsockets = true;
};
};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
};
};
};
security.acme = {
acceptTerms = true;
#TODO: activate this mail
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}
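Review bot: The `dev.hahn1.one` vhost sets `basicAuth = { dev = "dev"; };`, which NixOS renders into an htpasswd file inside the world-readable Nix store, so the credential is visible to every local user and to anyone with the repository, and the comment above it already concedes it is not secure. The same file configures PostgreSQL with `local all all trust`, which lets any local account connect as any database role without a password. Prefer the sops secrets this file already declares, e.g. `basicAuthFile = config.sops.secrets.<dev-basicauth-secret>.path;` and `scram-sha-256` (or `peer`) instead of `trust` in the authentication block. The `Set-Cookie` line in the `jontemp2` template additionally lacks `Secure`, `HttpOnly` and `SameSite` attributes, so the very long-lived `letmein` cookie can be sent over plain HTTP and read by page scripts.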


@@ -0,0 +1,9 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
}


@@ -0,0 +1 @@
jonas:$2y$05$PQhZXP4kXq/hGvPwMQQ6A.G9T4VnxG4PJE4RG16D7z/rZffd6ezYu
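Review bot: This file commits a bcrypt password hash to the repository, and the stranox configuration in this commit copies it into the Nix store through `environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;`, which makes the hash world-readable on the host. The `$2y$05$` prefix also shows a bcrypt cost of 5, well below current recommendations of 10 or more, so offline guessing of this hash is cheap. The commented-out alternative in that same config, `config.sops.secrets.jondash.path`, already exists; switch to it, regenerate the hash with a higher cost, and rotate the password since the hash is now in git history.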


@@ -0,0 +1,191 @@
# Configuratoin for my thinkpad t470s
{ pkgs, config, inputs, ... }:
{
imports = [
# Import neccessities
./hardware-configuration.nix
# Import own modules
../../users.nix
# ../../modules/workstation.nix
../../modules/tweaks.nix
../../modules/laptop.nix
../../common.nix
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
templates = {
"davtemp" = {
owner = "root";
content = ''${config.sops.placeholder.davurl} ${config.sops.placeholder.jondav} ${config.sops.placeholder.jondavpass}'';
mode = "0600";
path = "/etc/davfs2/secrets";
};
};
secrets = {
davurl = {
owner = "jonas";
};
jondav = {
owner = "jonas";
};
jondavpass = {
owner = "jonas";
};
};
};
networking.firewall.allowedTCPPorts = [
# Opening ssh and the web
80
443
# Dev ports
8888
2345
8080
];
programs.gnupg.agent = {
enable = true;
pinentryPackage = with pkgs; pinentry-all;
enableSSHSupport = true;
};
# Scanning over the network support
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.sane-airscan ];
hardware.sane.disabledDefaultBackends = [ "escl" ];
services.udev.packages = [ pkgs.sane-airscan ];
services.avahi.enable = true;
services.avahi.nssmdns = true;
services.davfs2.enable = true;
# ensure the mountpoint directory exists
systemd.tmpfiles.rules = [
"d /mnt/webdav 0755 jonas users -"
#"d /var/cache/davfs2/sync.hahn1.one+mnt-webdav+jonas 0700 jonas users -"
];
# Just works
systemd.mounts = [
{
description = "Webdav mount point";
#after = [ "network-online.target" ];
wants = [ "network-online.target" ];
what = "https://sync.hahn1.one";
where = "/mnt/webdav";
type = "davfs";
options = "uid=1000,gid=1000,file_mode=0664,dir_mode=2775,_netdev";
mountConfig.TimeoutSec = "15s";
#wantedBy = [ "multi-user.target" ];
}
];
# systemd.automounts = [
# {
# where = "/mnt/webdav";
# wantedBy = [ "multi-user.target" ];
# automountConfig = {
# TimeoutIdleSec = "20m";
# };
# }
# ];
nixpkgs.config.allowUnfree = true;
services = {
syncthing = {
enable = true;
user = "jonas";
# Have to set the bandwidth for the syncing manually for laptops
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/synced";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = false; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"stranox" = { id = "KTFN5YR-NU2Y6EV-WU6D635-H2AUZTJ-KL6UIVE-L7N2EU5-GPY34N7-ZQ36MAI"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Auto opt in for the sync folder that is on the server
# Further down the line you can split your sync setup into multiple folders
## "synced" = {
# path = "/home/jonas/syncedokay";
# devices = [ "stranox" ];
# ignorePerms = true;
# #fsWatcherDelayS="10";
# # Try to save battery with this
# # Remember to also look at options that are not in the
# # nixos options search
# fsWatcherEnabled = true;
# #disableFsync = true;
# pullerPauseS = 600;
# rescanIntervalS = 1200;
# versioning = {
# type = "staggered";
# };
#};
};
};
};
};
###### TEMP AREA
# security.krb5 = {
# enable = true;
# settings = {
# libdefaults = {
# default_realm = "UNI-GOETTINGEN.DE"; # Replace with actual realm
# };
# };
# };
# Thinkpad specific fingerprint reader does not work yet
# For further information see: https://gitlab.freedesktop.org/3v1n0/libfprint-tod-vfs0090
#services.fprintd = {
# enable = true;
# tod = {
# enable = true;
# driver = pkgs.libfprint-2-tod1-vfs0090;
# };
#};
#####
networking.hostName = "thinix";
batMode = "double";
networking = {
networkmanager = {
wifi.powersave = true;
};
};
services.dnsmasq.enable = true;
# Setting up swap in case of emergency
swapDevices = [
{
device = "/swapfile";
size = 4096; # size in MB (4096 MB = 4 GB)
}
];
# this does not work with flakes
#system.copySystemConfiguration = true;
system.stateVersion = "24.11";
}
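Review bot: `networking.firewall.allowedTCPPorts` opens the development ports 8888, 2345 and 8080 on a laptop that roams between networks, so anything listening on them is reachable from every Wi-Fi the machine joins. Unless those services are meant to be shared, drop them from the list or have the dev servers bind to 127.0.0.1 and keep only 80/443 here. Separately, the `systemd.mounts` entry mounts `https://sync.hahn1.one` as davfs, but in the stranox nginx config of this same commit that host name proxies to port 8384 (the Syncthing GUI) rather than to the WebDAV service on 6065 — worth confirming which backend is intended. `services.avahi.nssmdns` has been superseded by `nssmdns4` in recent NixOS releases, so expect a deprecation warning on this line.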


@@ -0,0 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" ];
fileSystems = {
"/" =
{ device = "/dev/disk/by-uuid/46a20748-374f-443c-813a-b79408520076";
fsType = "ext4";
};
"/boot" =
{ device = "/dev/disk/by-uuid/4ED9-4D41";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

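--- /dev/null
+++ b/install.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Script to link the configuration of a host to the current directory
+# to the root to make access easier
+#
+# This does not need to be used when flakes is enabled
+# Yes need for nvim integration of nixos
+cd $HOME/configuration/nixos
+directory="hosts"
+# List all folder names in the specified directory
+echo "Known hosts:"
+folders=()
+counter=1
+for folder in "$directory"/*/; do
+ if [ -d "$folder" ]; then
+ folder_name=$(basename "$folder")
+ folders+=("$folder_name")
+ echo "$counter: $folder_name"
+ ((counter++))
+ fi
+done
+echo "Please select a host (number):"
+read -p "> " folder_number
+# Validate the selection
+if ! echo "$folder_number" | grep -Eq '^[1-9][0-9]*$'; then
+ echo "Invalid selection: You must enter a positive integer."
+ exit 1
+fi
+folder_index=$((folder_number - 1))
+if [ "$folder_index" -lt 0 ] || [ "$folder_index" -ge "${#folders[@]}" ]; then
+ echo "Invalid selection: Number out of range."
+ exit 1
+fi
+selected_folder="${folders[$folder_index]}" # Use the 0-based index
+selected_folder_path="$directory/$selected_folder"
+ln -sf "$selected_folder_path/configuration.nix" "configuration.nix"
+echo "Switched to host configuration in the current directory."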
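Review bot: The shebang is `#!/bin/sh` but the script uses bash-only constructs (`folders=()`, `folders+=(...)`, `${#folders[@]}`, `((counter++))`, `read -p`), so under dash or another POSIX sh it fails before the menu is shown. The unquoted and unchecked `cd $HOME/configuration/nixos` is the other risk: if that directory is missing the script keeps going and `ln -sf` creates `configuration.nix` in whatever the current directory happens to be. Change the opening lines to `#!/usr/bin/env bash`, `set -eu` and `cd "$HOME/configuration/nixos" || exit 1`.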

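--- /dev/null
+++ b/modules/common.nix
@@ -0,0 +1,108 @@
+{ pkgs, ... }:
+{
+imports = [
+./modules/smalls/bootmode.nix
+];
+services.locate.enable = true;
+services.printing.enable = true;
+# nix fun
+nixpkgs.config.allowUnfree = true;
+nix.settings.experimental-features = ["flakes" "nix-command"];
+time.timeZone = "Europe/Berlin";
+environment = {
+sessionVariables = {
+NIXOS_OZONE_WL = "1";
+QTWEBENGINE_CHROMIUM_FLAGS="--blink-settings=darkModeEnabled=true";
+QT_QPA_PLATFORMTHEME = "qt6ct"; # kvantum for dolphin and qt for sioyek??
+WLR_NO_HARDWARE_CURSORS= "1";
+QT_STYLE_OVERRIDE = "kvantum";
+QT_QPA_PLATFORM="xcb";
+};
+systemPackages = with pkgs; [
+git
+fastfetch
+tor-browser
+spotify
+android-studio
+lazygit
+unzip
+# everywhere support
+starship
+zoxide
+kdePackages.qtsvg
+# add sync support
+rsync
+flock
+# curl for scripting
+curl
+];
+pathsToLink = [
+"/share/icons"
+];
+};
+networking = {
+networkmanager = {
+enable = true;
+};
+};
+fonts.packages = with pkgs; [
+nerd-fonts.fira-code
+nerd-fonts.droid-sans-mono
+noto-fonts
+noto-fonts-cjk-sans
+noto-fonts-emoji
+fira-code
+fira-code-symbols
+];
+i18n.defaultLocale = "en_US.UTF-8";
+console = {
+font = "Lat2-Terminus16";
+keyMap = "us";
+};
+services.displayManager.ly = {
+enable = true;
+settings = {
+clock = "%c";
+box_title = "HahnComp";
+clear_password = true;
+default_input = "password";
+};
+};
+programs.zsh = {
+enable = true;
+autosuggestions.enable = true;
+ohMyZsh = {
+enable = true;
+plugins = [
+"history-substring-search"
+"git"
+"zoxide"
+"sudo"
+"vi-mode"
+"systemadmin"
+];
+};
+};
+# In case of gui usage
+programs = {
+hyprland.enable = true;
+hyprlock.enable = true;
+nix-ld.enable = true;
+firefox.enable = true;
+};
+}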
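Review bot: The import `./modules/smalls/bootmode.nix` is resolved relative to this file, i.e. `modules/modules/smalls/bootmode.nix`, which does not match how the host configs in this commit reference modules (`../../modules/laptop.nix`, `../../common.nix`), so evaluation will likely fail with a missing-path error unless that nested directory really exists — worth checking. If the boot-mode module lives under `modules/`, the line should read `./smalls/bootmode.nix`. Minor style: `QTWEBENGINE_CHROMIUM_FLAGS="..."` and `QT_QPA_PLATFORM="xcb"` lack the spaces around `=` used by the neighbouring assignments.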


@@ -0,0 +1,28 @@
{ config, lib, ... }:
let
inherit (lib) mkOption types;
in
{
options.bootMode = mkOption {
type = types.enum [ "uefi" "legacy" ];
default = "uefi";
description = "Select boot mode: 'uefi' or 'legacy'.";
};
config = {
boot.consoleLogLevel = 0;
boot.kernelParams = [ "quiet" "udev.log_level=3" ];
boot.loader = if config.bootMode == "uefi" then {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
timeout = 0;
} else {
grub.enable = true;
grub.device = "/dev/sda"; # <- replace with actual target disk
timeout = 0;
};
};
}
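Review bot: `grub.device = "/dev/sda"` is hard-coded inside a shared module and the trailing comment admits it is a placeholder, so any host that selects `bootMode = "legacy"` writes GRUB to whatever `/dev/sda` happens to be on that machine. Expose the target disk as an option next to `bootMode` and reference it from the legacy branch so each host declares its own disk explicitly.

```nix
options.bootDevice = mkOption {
  type = types.str;
  default = "/dev/sda";
  description = "Disk that receives the GRUB boot sector when bootMode is 'legacy'.";
};
# … unchanged: bootMode option, kernel params and the uefi branch …
grub.device = config.bootDevice;
```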


@@ -0,0 +1,20 @@
{ pkgs, ... }:
{
########## TEsting
# Load nvidia driver for Xorg and Wayland
services.steam.enable = true;
services.xserver.videoDrivers = ["nvidia"];
# Enable OpenGL
# Optional nvidia
hardware.graphics = {
enable = true;
};
hardware.nvidia = {
modesetting.enable = true;
open = false;
};
};
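Review bot: `services.steam.enable = true;` refers to an option that does not exist in NixOS — Steam is enabled through `programs.steam.enable = true;` — so importing this module fails at evaluation with an undefined-option error. The file also ends with `};` instead of `}`, which is a parse error for a top-level attribute set; both suggest the module is not imported anywhere yet, which the `TEsting` header supports. The header comment promises the Nvidia driver for Xorg and Wayland, which `videoDrivers` and `hardware.nvidia` do provide, so the Steam line is the only foreign piece here and should be moved under `programs` or dropped.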


@@ -0,0 +1,95 @@
{ pkgs, config, lib, ... }:
let
inherit (lib) mkOption types;
in
{
options.batMode = mkOption {
type = types.enum [ "single" "double" ];
default = "single";
description = "Select 'single' for one battery and 'double' for dual setup";
};
# Dont run a tandem with tlp
#options.services.auto-cpufreq.enable = true;
#options.services.auto-cpufreq.settings = {
# battery = {
# governor = "powersave";
# turbo = "never";
# };
# charger = {
# governor = "performance";
# turbo = "auto";
# };
#};
config = {
powerManagement.powertop.enable = true;
services.upower = {
enable = true;
# In accordance with the waybar battery colors
percentageLow = 30;
percentageCritical = 20;
percentageAction = 10;
#percentageAction = "PowerOff";
criticalPowerAction = "PowerOff"; # This can destroy work
usePercentageForPolicy = true;
};
services.tlp = if config.batMode == "single" then {
enable = true;
settings = {
#Optional helps save long term battery health
# Going almost full because the other bat is also charged
# 0 NEW first
START_CHARGE_THRESH_BAT0 = 65;
STOP_CHARGE_THRESH_BAT0 = 85;
CPU_SCALING_GOVERNOR_ON_AC = "performance";
#CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
#CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 65;
};
} else {
enable = true;
settings = {
# Have to keep it this way or
# Otherwise the buil in stop at 5% stops worky
# The problem is here that only the second battery gets seen from the charging cap
# Workaround. Just charge the battery when you use it and then turn manually the battery off
# I mean it is the state you generate now that you can use on any laptop. so
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 75;
# 0 NEW first
START_CHARGE_THRESH_BAT0 = 60;
STOP_CHARGE_THRESH_BAT0 = 85;
# 1 OLD second
START_CHARGE_THRESH_BAT1 = 60;
STOP_CHARGE_THRESH_BAT1 = 85;
};
};
};
}
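Review bot: `criticalPowerAction = "PowerOff"` together with `percentageAction = 10` hard-powers the laptop off at 10 %, and the inline comment already says this destroys work; upower also accepts `"Hibernate"` and `"HybridSleep"`, which keep the session, so `criticalPowerAction = "HybridSleep";` is the safer default. Style: the two `services.tlp` branches repeat the `CPU_*` settings and differ only in the charge thresholds and governor lines; a shared `settings` set merged with the per-mode thresholds (`//` or `lib.mkMerge`) would limit the branches to the lines that actually differ. The `pkgs` argument is unused.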

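--- /dev/null
+++ b/modules/hardware/virt.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+{
+# Enable common container config files in /etc/containers
+# virtualisation.containers.enable = true;
+# virtualisation = {
+# podman = {
+# enable = true;
+# dockerSocket.enable = true;
+# dockerCompat = true;
+# defaultNetwork.settings.dns_enabled = true;
+# };
+# };
+#
+# # Useful other development tools
+# environment.systemPackages = with pkgs; [
+# dive # look into docker image layers
+# podman-tui # status of containers in the terminal
+# docker-compose # start group of containers for dev
+# ];
+virtualisation.docker.enable = true;
+}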
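Review bot: `virtualisation.docker.enable = true` starts the root daemon, and the host configs in this commit add `jonas` to the `docker` group, which is equivalent to passwordless root on that host. For single-user development, `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` gives the same CLI without that privilege grant; if the root daemon is intended, say so in a comment. The large commented-out Podman block is dead code next to the live Docker switch and should be removed or moved to a note, and `pkgs` is unused in this module.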


@@ -0,0 +1,58 @@
{ pkgs, ... }:
{
# Experiments with services
systemd = {
timers."sync-manage-hourly" = {
enable = false;
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10s"; # Start 10 seconds after boot
OnUnitActiveSec = "1h"; # Repeat every hour
Unit = "sync-manage.service"; # Points to the service unit
};
};
services = {
"shutdown-script" = {
enable = false;
description = "Run custom script on shutdown";
after = [ "shutdown.target" ]; # Ensure it runs during shutdown
script = "/home/jonas/projects/scripts/check_git.sh"; # Specify the path to your script
serviceConfig = {
Type = "oneshot";
User = "jonas"; # Run as jonas
WorkingDirectory = "/home/jonas"; # Set working directory to jonas' home
execStop = "/home/jonas/projects/scripts/check_git.sh"; # Specify the path to your script
# To ensure the script finishes before the system powers off
TimeoutStopSec = "30"; # You can adjust this if necessary
};
# To ensure the script finishes before the system powers off
};
"sync-manage" = {
script = ''
# Run the script from jonas' home directory
/home/jonas/projects/scripts/sync_manage.sh
'';
serviceConfig = {
Type = "oneshot";
User = "jonas"; # Run as jonas
WorkingDirectory = "/home/jonas"; # Set working directory to jonas' home
};
};
"sync-manage-shutdown" = {
enable = false;
script = ''
# Check if the system is connected to Wi-Fi
/home/jonas/projects/scripts/sync_manage.sh
'';
serviceConfig = {
Type = "oneshot";
User = "jonas"; # Run as jonas
ExecStop = "/usr/bin/true";
RemainAfterExit = true;
};
};
};
};
}
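Review bot: In `shutdown-script`, `execStop = ...` has the wrong casing — systemd directives are case-sensitive, so it will be emitted as an unknown key and ignored, while the sibling `sync-manage-shutdown` unit correctly uses `ExecStop`. That sibling's `ExecStop = "/usr/bin/true"` will fail on NixOS, where `/usr/bin` only holds `env`; use `${pkgs.coreutils}/bin/true`. `after = [ "shutdown.target" ]` also does not make a unit run at shutdown; the usual pattern is `before = [ "shutdown.target" ]` with `RemainAfterExit = true` and the work in `ExecStop`. The header marks these as experiments and two of the three are disabled, so this is about the intent being reproducible when they are switched on.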


@@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
{
services.minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
declarative = true;
serverProperties = {
server-port = 25565;
gamemode = 0;
max-players = 5;
motd = "NixOS Minecraft server on misox!";
allow-cheats = true;
};
};
}
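Review bot: `openFirewall = true` exposes port 25565 on every network the host is on while `serverProperties` sets no `white-list = true`, so any client can join. Since `declarative = true` is set, add `white-list = true;` to `serverProperties` and list the intended players in `services.minecraft-server.whitelist`. `allow-cheats` is not a documented server.properties key for dedicated servers (permissions are governed by ops and `op-permission-level`), so it is likely a no-op — verify before relying on it. `config`, `lib` and `pkgs` are unused in this module.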

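--- /dev/null
+++ b/modules/other/xremap.nix
@@ -0,0 +1,64 @@
+{ pkgs, inputs, ... }:
+{
+imports = [
+inputs.xremap-flake.nixosModules.default
+];
+services.xremap = {
+withHypr = true;
+userName = "jonas";
+config = {
+#--------------- INFO -----------------
+# For the MOD2- part, the following prefixes can be used (also case-insensitive):
+# Shift: SHIFT-
+# Control: C-
+# Alt: M-
+# Windows: SUPER-
+# You can use multiple prefixes like C-M-Shift-a.
+# You may also suffix them with _L or _R (case-insensitive) so that remapping is triggered only on a left or right modifier, e.g. Ctrl_L-a.
+#
+# KEYS: https://github.com/emberian/evdev/blob/2d020f11b283b0648427a2844b6b980f1a268221/src/scancodes.rs#L26-L572
+modmap = [
+{
+name = "Capslock -> Esc and Ctrl";
+remap = {
+"CAPSLOCK" = {
+"alone" = "ESC";
+"held" = "CTRL_L";
+"alone_timeout_millis"= 1000;
+};
+"ESC" = "CAPSLOCK";
+# Disable this
+"CTRL_L" = {
+"alone" = "RESERVED";
+"held" = "RESERVED";
+};
+};
+}
+{
+name = "Switch Super and Alt";
+remap = {
+"SUPER_L" = {
+"alone" = "ALT_L";
+"held" = "ALT_L";
+};
+"ALT_L" = {
+"alone" = "SUPER_L";
+"held" = "SUPER_L";
+};
+};
+}
+];
+#keymap = [
+# {
+#name = "Remove the key next to z on a german keyboard";
+#remap = {
+#"103ND" = "RESERVED";
+#};
+# For the cutting key KEY_SYSRQ RIGHTALT for altGR
+# }
+#];
+};
+};
+}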
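Review bot: The comment `# Disable this` above the `CTRL_L` remap is ambiguous — it reads as a TODO to remove the block, while the values (`alone` and `held` both `RESERVED`) actually disable the physical left Ctrl key so that the held Caps Lock mapped to `CTRL_L` above becomes the only Ctrl. Suggest replacing it with `# Physical left Ctrl is disabled on purpose: Caps Lock (held) is the only CTRL_L`. The commented-out `keymap` block likewise carries no note on whether it is still wanted; either delete it or say why it is parked.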

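--- /dev/null
+++ b/modules/server/cloud.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+{
+# Setting the filesystem for nextcloud
+fileSystems."/mnt/nextcloudStorage" = {
+device = "/dev/disk/by-label/nextcloud";
+options = [
+"users"
+];
+};
+# Activating the nextcloud servce not optimized
+environment.etc."nextcloud-admin-pass".text = "PWD";
+services.nextcloud = {
+enable = true;
+home = "/mnt/nextcloudStorage";
+package = pkgs.nextcloud30;
+hostName = "cloud.hahn1.one";
+settings = {
+trusted_domains = ["misox"];
+};
+config = {
+adminpassFile = "/etc/nextcloud-admin-pass";
+dbtype = "sqlite";
+};
+extraApps = {inherit (config.services.nextcloud.package.packages.apps) richdocuments news contacts calendar tasks;};
+extraAppsEnable = true;
+https = true;
+configureRedis = true;
+maxUploadSize = "1G";
+};
+}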
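Review bot: `environment.etc."nextcloud-admin-pass".text = "PWD";` writes the Nextcloud admin password both into this repository and into the world-readable Nix store, from where `/etc/nextcloud-admin-pass` is linked, so every local user can read it. The stranox configuration in this commit already handles this properly with `adminpassFile = config.sops.secrets.nextpass.path;`; reuse that and drop the `environment.etc` line. The mount option `"users"` on `/mnt/nextcloudStorage` also lets any local account mount and unmount the Nextcloud data volume, which is unnecessary when only the nextcloud service uses it. `lib` is unused here.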


@@ -0,0 +1,55 @@
{ config, lib, pkgs, inputs, ... }:
{
# setup collabora config declaratively
systemd.services.nextcloud-config-collabora = let
inherit (config.services.nextcloud) occ;
wopi_url = "http://[::1]:${toString config.services.collabora-online.port}";
public_wopi_url = "https://cool.hahn1.one";
wopi_allowlist = lib.concatStringsSep "," [
"127.0.0.1"
"::1"
];
in {
wantedBy = ["multi-user.target"];
after = ["nextcloud-setup.service" "coolwsd.service"];
requires = ["coolwsd.service"];
script = ''
${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
${occ}/bin/nextcloud-occ config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
${occ}/bin/nextcloud-occ richdocuments:setup
'';
serviceConfig = {
Type = "oneshot";
User = "nextcloud";
};
};
# setup the collabora server
services.collabora-online = {
enable = true;
port = 9980; # default
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
# this is for dev purposes
# can be enabled in production when there is a real certificate
ssl_verification = true;
};
# Listen on loopback interface only, and accept requests from ::1
net = {
listen = "loopback";
post_allow.host = ["::1"];
};
# Set FQDN of server
server_name = "cool.hahn1.one";
};
};
}
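Review bot: The comment on `ssl_verification = true` says "this is for dev purposes / can be enabled in production when there is a real certificate" while the value already enables verification, so the comment contradicts the setting; reword it to `# Verify the certificate of the Nextcloud WOPI endpoint; keep true in production` or remove it. `inputs` is an unused module argument. The `wopi_allowlist` of `127.0.0.1,::1` is consistent with `post_allow.host = ["::1"]` and `listen = "loopback"`, which matches the reverse-proxy-only intent stated above.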


@@ -0,0 +1,16 @@
{ pkgs, config, lib, inputs, ...}:
{
imports =
[
#inputs.sops-nix.nixosModules.sops
];
# also one can access the path and then cat it
services.ddclient = {
enable = true;
configFile = config.sops.templates."ddclient-temp".path;
};
}
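Review bot: `configFile = config.sops.templates."ddclient-temp".path;` references a sops template that is not defined anywhere visible in this commit, and the sops module import directly above is commented out, so evaluation fails with an undefined attribute unless another module declares `sops.templates."ddclient-temp"` — worth confirming. If the template is defined elsewhere, the comment `# also one can access the path and then cat it` should instead state what the template must contain (the ddclient provider credentials) so the coupling is visible from here. `pkgs`, `lib` and `inputs` are unused.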


@@ -0,0 +1,20 @@
{ pkgs, config, lib, inputs, ...}:
let
thisDir = ./.;
nixFiles = builtins.attrNames (builtins.readDir thisDir);
moduleFiles = builtins.filter (name: builtins.match ".*\\.nix" name != null && name != "default.nix") nixFiles;
modules = builtins.map (name: thisDir + "/${name}") moduleFiles;
in {
# Import all the old modules
imports = modules;
############ TEMP Module inputs
# Got from here https://nixos.wiki/wiki/OpenLDAP#Setting_up_a_server_with_SSL_certs_via_ACME
}
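Review bot: Importing every sibling `.nix` file unconditionally means that adding a module to this directory enables it on every host that imports the directory, with no per-host opt-in; if this is `modules/server/default.nix`, that would include `cloud.nix` (Nextcloud with a literal admin password) and `monitor.nix`. An explicit `imports = [ ./nginx.nix ./monitor.nix … ];` list, or modules that guard their settings behind an `enable` option, keeps that decision visible in review. The `builtins.match ".*\\.nix"` filter is otherwise fine; `pkgs`, `config`, `lib` and `inputs` are unused.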

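--- a/modules/server/monitor.nix
+++ b/modules/server/monitor.nix
@@ -0,0 +1,144 @@
+# MONITORING: services run on loopback interface
+# nginx reverse proxy exposes services to network
+{ config, lib, pkgs, ... }:
+let
+grafana_port = 7000;
+in {
+# Logging metrics
+# Disable loki
+services.loki = {
+enable = false;
+configuration = {
+server.http_listen_port = 3100;
+auth_enabled = false;
+ingester = {
+lifecycler = {
+address = "127.0.0.1";
+ring = {
+kvstore = {
+store = "inmemory";
+};
+replication_factor = 1;
+};
+};
+chunk_idle_period = "1h";
+max_chunk_age = "1h";
+chunk_target_size = 999999;
+chunk_retain_period = "30s";
+};
+schema_config = {
+configs = [{
+store = "tsdb";
+object_store = "filesystem";
+schema = "v13";
+index = {
+prefix = "index_";
+period = "24h";
+};
+}];
+};
+storage_config = {
+tsdb_shipper = {
+active_index_directory = "/var/lib/loki/tsdb-shipper-active";
+cache_location = "/var/lib/loki/tsdb-shipper-cache";
+cache_ttl = "24h";
+};
+filesystem = {
+directory = "/var/lib/loki/chunks";
+};
+};
+limits_config = {
+reject_old_samples = true;
+reject_old_samples_max_age = "168h";
+};
+table_manager = {
+retention_deletes_enabled = false;
+retention_period = "0s";
+};
+compactor = {
+working_directory = "/var/lib/loki";
+compactor_ring = {
+kvstore = {
+store = "inmemory";
+};
+};
+};
+};
+};
+# Disable
+services.promtail = {
+enable = false;
+configuration = {
+server = {
+http_listen_port = 3031;
+grpc_listen_port = 0;
+};
+positions = {
+filename = "/tmp/positions.yaml";
+};
+clients = [{
+url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
+}];
+scrape_configs = [{
+job_name = "journal";
+journal = {
+max_age = "12h";
+labels = {
+job = "systemd-journal";
+host = "misox";
+};
+};
+relabel_configs = [{
+source_labels = [ "__journal__systemd_unit" ];
+target_label = "unit";
+}];
+}];
+};
+};
+# System metrics
+services.prometheus = {
+enable = true;
+exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" "tcpstat" "processes" "interrupts" ];
+port = 9100;
+};
+};
+#globalConfig.scrape_interval = "1m";
+scrapeConfigs = [{
+job_name = "node";
+static_configs = [{
+targets = [
+"localhost:${toString config.services.prometheus.exporters.node.port}"
+];
+}];
+}];
+};
+# Dashboard
+services.grafana = {
+enable = true;
+settings = {
+server = {
+http_addr = "127.0.0.1";
+http_port = 3000;
+domain = "grafana.misox";
+#root_url = "http://misox:${toString grafana_port}/";
+};
+};
+};
+}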
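Review bot: The header comment says the monitoring services run on the loopback interface, but neither `services.prometheus` nor `exporters.node` sets `listenAddress`, so both keep the NixOS default of binding all interfaces (9090 and 9100) and only the firewall keeps them off the network, unlike Grafana which does set `http_addr = "127.0.0.1"`. Add `services.prometheus.listenAddress = "127.0.0.1";` and `exporters.node.listenAddress = "127.0.0.1";`; the scrape target `localhost:9100` keeps working and the comment becomes true. `grafana_port = 7000` is only referenced from the commented-out `root_url` line and can be dropped. Before promtail is re-enabled, `positions.filename = "/tmp/positions.yaml"` should move under `/var/lib` so the read position survives reboots and is not in a world-writable directory.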


@@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }:
{
networking.hostName = "misox"; # Define your hostname.
# networking.interfaces.eno1 = {
# Assign a static IPv6 address (same as your example)
# ipv6.addresses = [
# {
# address = "2003:ca:7f20:cf00:dd2d:ebde:44e6:7eca"; # Static IPv6 address
# prefixLength = 64; # Prefix length (usually 64)
# }
# ];
#
# Enable temporary addresses (privacy addresses) as well
#ipv6.useTempAddresses = true;
#};
# The ping behind fritzbox still does not work
networking.enableIPv6 = true;
networking.firewall.allowedTCPPorts = [
# Opening ssh and the web
22
80
443
############
# Jonas Stuff
# LifeDash Deploy
8000
];
# Rewrite for local host support
# to make this global you need to confifure a custom dns
networking.hosts = {
"127.0.0.1" = [ "hahn1.one" "cloud.hahn1.one" "cool.hahn1.one" "grafana.hahn1.one"];
"::1" = [ "hahn1.one" "cloud.hahn1.one" "cool.hahn1.one" "grafana.hahn1.one"];
#"127.0.0.1" = ["nextcloud.misox" "default.misox" "grafana.misox" "collabora.misox"];
#"::1" = ["nextcloud.misox" "grafana.misox" "default.misox" "collabora.misox"];
};
networking.networkmanager.wifi.powersave = false;
}
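Review bot: Port `8000` (`LifeDash Deploy`) is opened directly in `networking.firewall.allowedTCPPorts`, which bypasses the nginx reverse proxy and the ACME/TLS setup the other server modules rely on, so unless that service terminates TLS itself it is reachable in plaintext from the network. If it only needs to be reached through the proxy, drop `8000` here and add a `virtualHosts` entry in `modules/server/nginx.nix` with `proxyPass = "http://127.0.0.1:8000";` and `forceSSL = true;`. The `networking.hosts` block maps `hahn1.one` and its subdomains to loopback, which is fine for local testing but means this host will never resolve the public records for its own domain; a comment noting that trade-off would help.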

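--- a/modules/server/nginx.nix
+++ b/modules/server/nginx.nix
@@ -0,0 +1,107 @@
+{ config, lib, pkgs, ... }:
+{
+security.acme = {
+acceptTerms = true;
+defaults.email = "jonashahn1@gmx.net";
+#defaults.dnsProvider = "route53";
+#defaults.dnsResolver = "2606:4700:4700::1111";
+certs = {
+"cloud.hahn1.one" = {
+webroot = "/var/lib/acme/.challenges";
+group = "nginx";
+};
+};
+};
+users.users.nginx.extraGroups = [ "acme" ];
+# Setting the port for nextcloud
+services.nginx = let
+# support for local vars
+mkDevCert = name: commonName:
+pkgs.runCommandLocal "${name}-dev-cert" { buildInputs = [ pkgs.openssl ]; } ''
+mkdir -p $out
+openssl req -x509 -newkey rsa:4096 -keyout $out/key.pem -out $out/cert.pem -days 3650 -nodes \
+-subj "/CN=${commonName}"
+'';
+# dev certs
+# collaboraCert = mkDevCert "collabora-misox-cert" "collabora.misox";
+# nextCert = mkDevCert "nextcloud-misox-cert" "nextcloud.misox";
+# defCert = mkDevCert "default-misox-cert" "misox";
+# default domain to use in the configuration
+domain = "hahn1.one";
+in {
+# enable nginx
+enable = true;
+recommendedProxySettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+# setup virtual hosts
+virtualHosts = {
+# Expose nextcloud
+# this is how to setup a dev cert route with ssl
+#"${config.services.nextcloud.hostName}" = {
+# enableACME = false;
+# forceSSL = true;
+# sslCertificate = "${nextCert}/cert.pem";
+# sslCertificateKey = "${nextCert}/key.pem";
+#};
+"${config.services.nextcloud.hostName}" = {
+enableACME = true;
+addSSL = true;
+};
+"grafana.${domain}" = {
+enableACME = true;
+addSSL = true;
+# this is to create a default listener
+#listen = [{ addr = "0.0.0.0"; port = grafana_port;}];
+locations."/" = {
+proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+proxyWebsockets = true;
+};
+};
+"acmechallenge.${domain}" = {
+# Catchall vhost, will redirect users to HTTPS for all vhosts
+serverAliases = [ "*.example.com" ];
+locations."/.well-known/acme-challenge" = {
+root = "/var/lib/acme/.challenges";
+};
+locations."/" = {
+return = "301 https://$host$request_uri";
+};
+};
+"cool.${domain}" = {
+enableACME = true;
+addSSL = true;
+locations."/" = {
+proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
+proxyWebsockets = true;
+};
+};
+# This is the last and therefor occupies the http://misox?
+# NO!
+"${domain}" = {
+default = true;
+enableACME = true;
+addSSL = true;
+locations."/" = {
+root = "${pkgs.nginx}/html";
+index = "index.html";
+};
+};
+};
+};
+}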
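Review bot: The catch-all vhost `acmechallenge.${domain}` still carries the wiki example's `serverAliases = [ "*.example.com" ]`, so it never matches any host under `hahn1.one` and the HTTPS redirect its comment promises does not apply; it should read `serverAliases = [ "*.${domain}" ];`. Related, every TLS vhost uses `addSSL = true`, which keeps Nextcloud, Grafana and Collabora reachable over plain HTTP on port 80 alongside HTTPS; `forceSSL = true` turns the port-80 listener into a 301 to HTTPS while the NixOS module still serves the ACME challenge path. The explicit `security.acme.certs."cloud.hahn1.one"` entry with a webroot duplicates what `enableACME = true` on the Nextcloud vhost already provisions, so one of the two can go. `mkDevCert` is no longer referenced after the dev certs were commented out and should be removed or moved next to them.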

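--- a/modules/server/services.nix
+++ b/modules/server/services.nix
@@ -0,0 +1,114 @@
+{ pkgs, config, lib, inputs, ...}:
+{
+# figure out how this works
+services.openldap = {
+enable = true;
+/* enable plain connections only */
+urlList = [ "ldap:///" ];
+settings = {
+attrs = {
+olcLogLevel = "conns config";
+};
+children = {
+"cn=schema".includes = [
+"${pkgs.openldap}/etc/schema/core.ldif"
+"${pkgs.openldap}/etc/schema/cosine.ldif"
+"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+];
+"olcDatabase={1}mdb".attrs = {
+objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+olcDatabase = "{1}mdb";
+olcDbDirectory = "/var/lib/openldap/data";
+olcSuffix = "dc=example,dc=com";
+/* your admin account, do not use writeText on a production system */
+olcRootDN = "cn=admin,dc=example,dc=com";
+olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+olcAccess = [
+/* custom access rules for userPassword attributes */
+''{0}to attrs=userPassword
+by self write
+by anonymous auth
+by * none''
+/* allow read on anything else */
+''{1}to *
+by * read''
+];
+};
+};
+};
+};
+# Enable all the old services on gullfoss
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "mydatabase" ];
+authentication = pkgs.lib.mkOverride 10 ''
+#type database DBuser auth-method
+local all all trust
+'';
+};
+# TODO: need to configure this
+services.samba = {
+enable = true;
+openFirewall = true;
+settings = {
+global = {
+"workgroup" = "WORKGROUP";
+"server string" = "smbnix";
+"netbios name" = "smbnix";
+"security" = "user";
+#"use sendfile" = "yes";
+#"max protocol" = "smb2";
+# note: localhost is the ipv6 localhost ::1
+"hosts allow" = "192.168.0. 127.0.0.1 localhost";
+"hosts deny" = "0.0.0.0/0";
+"guest account" = "nobody";
+"map to guest" = "bad user";
+};
+"public" = {
+"path" = "/mnt/Shares/Public";
+"browseable" = "yes";
+"read only" = "no";
+"guest ok" = "yes";
+"create mask" = "0644";
+"directory mask" = "0755";
+"force user" = "username";
+"force group" = "groupname";
+};
+"private" = {
+"path" = "/mnt/Shares/Private";
+"browseable" = "yes";
+"read only" = "no";
+"guest ok" = "no";
+"create mask" = "0644";
+"directory mask" = "0755";
+"force user" = "username";
+"force group" = "groupname";
+};
+};
+};
+services.samba-wsdd = {
+enable = true;
+openFirewall = true;
+};
+services.cron = {
+enable = true;
+systemCronJobs = [
+"*/5 * * * * root date >> /tmp/cron.log"
+];
+};
+}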
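Review bot: `olcRootPW.path = pkgs.writeText "olcRootPW" "pass";` puts the LDAP root password into the world-readable Nix store, and together with `dc=example,dc=com` and the "do not use writeText on a production system" comment this is still the wiki example rather than a configuration for this server module. Since sops-nix is already wired into this repo (`.sops.yaml`, `secrets.yaml`), point it at a sops-managed file instead, e.g. `olcRootPW.path = config.sops.secrets."<ldap-root-pw>".path;` with the secret declared with `owner` set to the openldap service user so it can read it, and set the suffix to the real domain. `services.postgresql.authentication` with `local all all trust` lets every local OS user connect as any database role, including `postgres`; `peer` (or `scram-sha-256`) is the safer default. The Samba shares use the placeholder `force user`/`force group` values `username`/`groupname`, and the root cron job appending `date` to `/tmp/cron.log` every five minutes looks like a leftover test that should be removed before this module is deployed.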

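--- a/modules/services/mail.nix
+++ b/modules/services/mail.nix
@@ -0,0 +1,21 @@
+{ config, ... }: {
+services.postfix = {
+enable = true;
+relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+sslCert = config.security.acme.certs."lists.example.org".directory + "/full.pem";
+sslKey = config.security.acme.certs."lists.example.org".directory + "/key.pem";
+config = {
+transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+};
+};
+services.mailman = {
+enable = true;
+serve.enable = true;
+hyperkitty.enable = true;
+webHosts = ["lists.example.org"];
+siteOwner = "mailman@example.org";
+};
+services.nginx.virtualHosts."lists.example.org".enableACME = true;
+#networking.firewall.allowedTCPPorts = [ 25 80 443 ];
+}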
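Review bot: `lists.example.org` and `mailman@example.org` are the NixOS manual's placeholder names, while the rest of the repo uses `hahn1.one`; left as-is this declares a Postfix relay, a Mailman web host and an ACME certificate for a domain this host does not control, and the ACME order for `lists.example.org` would fail at activation. Replace them with the real list host (for example `lists.hahn1.one`) or keep the module out of the host's imports until it is configured. Note that `services.postfix` here and the `mailserver` module elsewhere in this commit both manage Postfix on the same host, which is likely to conflict; one of them should own the MTA.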


@@ -0,0 +1,51 @@
{ config, pkgs, ... }: {
imports = [
(builtins.fetchTarball {
# Pick a release version you are interested in and set its hash, e.g.
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
# To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
# release="nixos-25.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
sha256 = "0jpp086m839dz6xh6kw5r8iq0cm4nd691zixzy6z11c4z2vf8v85";
})
];
mailserver = {
enable = true;
fqdn = "mail.hahn1.one";
domains = [ "hahn1.one" ];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"jonas@hahn1.one" = {
# mail4jonas
hashedPassword = "$2b$05$aOMZAUvp4p42su99UwQ0FeKPTVKrHBJX1w7IBG9J39rSjSqyT5Y7C";
aliases = ["postmaster@hahn1.one" "j@hahn1.one"];
};
"security@hahn1.one" = {
# mail4jonas
hashedPassword = "$2b$05$aOMZAUvp4p42su99UwQ0FeKPTVKrHBJX1w7IBG9J39rSjSqyT5Y7C";
aliases = ["sec@hahn1.one"];
};
"christiane@hahn1.one" = {
# mail4jonas
hashedPassword = "$2b$05$nfE1Iou57TvnAH.BfFdsEOsrbxZDovNPVme3PTG/ZMAG3T6OC968q";
aliases = ["ch@hahn1.one"];
};
"horst@hahn1.one" = {
# mail4jonas
hashedPassword = "$2b$05$nfE1Iou57TvnAH.BfFdsEOsrbxZDovNPVme3PTG/ZMAG3T6OC968q";
aliases = ["ho@hahn1.one"];
};
"theo@hahn1.one" = {
# mail4jonas
hashedPassword = "$2b$05$nfE1Iou57TvnAH.BfFdsEOsrbxZDovNPVme3PTG/ZMAG3T6OC968q";
aliases = ["th@hahn1.one"];
};
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
};
}
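Review bot: Each `hashedPassword` line is preceded by the comment `# mail4jonas`; if that is the cleartext the hash was generated from, committing it next to the hash defeats the hashing entirely, and the affected accounts should be given new passwords after the comment is removed. Independently, `hashedPassword` values end up in the repository and in the world-readable Nix store; the module's `hashedPasswordFile` option can point at a sops-nix secret instead, e.g. `hashedPasswordFile = config.sops.secrets."<account-pw-hash>".path;`, now that sops-nix is an input of the flake. The `jonas`/`security` pair and the `christiane`/`horst`/`theo` group each reuse one identical hash, so those accounts share a password. The enclosing module's file path is not shown in this section of the page.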

45
secrets.yaml Normal file

@@ -0,0 +1,45 @@
hello: ENC[AES256_GCM,data:k1EMjZbnlcpYw5pcRtQHGDfa/O++mQfxdr9vBHx+UFVFbofKaCKGEIdrVUE16Q==,iv:ahDFZ2w9BIpIANQSU02lNVx/iSUJD5PhlLATAjQmEdY=,tag:w5+8IWG8zb211Vc+UTwg3g==,type:str]
example_key: ENC[AES256_GCM,data:4CVDitfwYOtRsALv7w==,iv:vIEkeLKQCpMeyP/Mp11vQjZypzo0zzLF7anzuFWoDUY=,tag:UUbIEdXm/gDxibO3TfhXBA==,type:str]
#ENC[AES256_GCM,data:hwfnw+hvTTbmHlaWYWoLAw==,iv:88K6o0ZZu4ZuARI550FtyhoZ10iFAzTj29vz1bA4Bck=,tag:Fc9gf5OhVpMwiqvE9CfFGg==,type:comment]
example_array:
- ENC[AES256_GCM,data:/iY4JlQgSbdFm55zIaI=,iv:4oiPSEreBgBnjHi2kCHpoXwtbeE/22g190ZK/Jbz7zM=,tag:O7BBYRRpY0JauGoSirsxrg==,type:str]
- ENC[AES256_GCM,data:LyF7/r3tcUNx/K9q5Bc=,iv:2ZLTzW2SjqgtxSANvondkcTKYHHkvydg3k7aGQJKyjs=,tag:II6Xhhd7c2D1QAxooVwMjQ==,type:str]
example_number: ENC[AES256_GCM,data:de+xGQ8Pb450jw==,iv:3WbXWQ0YyxTaLx/+7yA2R+M7n/0ZyJmSsLuxiAaq/m8=,tag:a4rmGu/Df4pZWMarhCuM8Q==,type:float]
example_booleans:
- ENC[AES256_GCM,data:9PWfow==,iv:hfaqc++IWghsUxJv87L8wd77yDsntZnyQAcVko2HKCs=,tag:qmriScWcH8zDeArJQPX/vg==,type:bool]
- ENC[AES256_GCM,data:lz3qG1I=,iv:2+nsk/nyNyj2wt38rUjher78K0TbNptdQuAaxfdKCGg=,tag:O5EZqszgq0UClHe8B15cbA==,type:bool]
myservice:
my_subdir:
my_secret: ENC[AES256_GCM,data:pcuzeFjjOHRz,iv:LS237ulXm9ny9NTgtOwB9NuZFi+iOS7FF3PUynYn2+A=,tag:1CQhg8qTJEOYcUnGHH6igg==,type:str]
#ENC[AES256_GCM,data:oMysXorqjBLn7l958hU8VNHMTt8W9OiSBw==,iv:PkYp5iJDnHh1eXEx7rDiqktrJT72YqoJ23YO83ccISw=,tag:KOqkGcK+uoJm1ysHX7Ju8g==,type:comment]
strato_dns: ENC[AES256_GCM,data:r1EkuHQaBZavJ4gigWQWiuUofJDdZilV7Q==,iv:CApwM3Cxu4ouM/XRA0pSx8djZdFumHqDn1Aek6blP5Y=,tag:BZwXnb4UxTXh6hFmnEAvtw==,type:str]
strato_dns_bitzz: ENC[AES256_GCM,data:RvDhxUpVuxomxJf3ztnDAcz8bA==,iv:4CsTQOIkooWMaMUhDHlTiqY/cCMY/Mq30JvqIIGuvtk=,tag:o8l74idKgCDcYNU7Xwscaw==,type:str]
jondash: ENC[AES256_GCM,data:HMzqDX0h9K9t,iv:n2wvnotpc8GFa8cxRaXS7n+4D0LcdJqDZnLnSocs4vQ=,tag:3UUiJwCQvQIka56A5q+B9w==,type:str]
joncook: ENC[AES256_GCM,data:bXBOZcT56U37SMGr1Kn9Fo8liebhYK5IWQw/sdDmiKpR3UYfNI83M6/k0LcGgzQ4hBk=,iv:mBu8SkcmrB4GwgkgOjnKNrrJzCEoOklhwpKNmlHzja0=,tag:5Har5T/1YGW3coHtl1a4LQ==,type:str]
nextpass: ENC[AES256_GCM,data:0lqmtGeffL0=,iv:FpPtZVs0Tiu89FTQ1LJUHj+x1J3vQceETsJo3aw9Rq0=,tag:1RvnPH1+ZWcsAH2D3BO7nA==,type:str]
sync_thinix_id: null
gull-pg-pass: ENC[AES256_GCM,data:zDDo3c4zs1EcGpBlAW/u,iv:2605kZzsx8j+pyZujq0qiHTead4hxYCwl9AhRx+L+FQ=,tag:pcLt5hjycGtiio7UE/Zzuw==,type:str]
#ENC[AES256_GCM,data:2VpuKSNRHRnNO5TA,iv:mTnXBL4q2h/mjwky5GN+772F7yG2o/L6UV051M5EnQY=,tag:YIhd3xWMVMIsprbAHZDewA==,type:comment]
davurl: ENC[AES256_GCM,data:lutWFhf3BzSGodIAi56yGwpzCoj5DA==,iv:/+woUlolqgsefNq5YA3exodp4CM24CBP2MIPbLcVodk=,tag:3NXrHtWCyy/mDmMCpaboAA==,type:str]
jondav: ENC[AES256_GCM,data:YrK3O6A=,iv:UN7jfsqGWSuQi2CahbAISQmJnLFb2YaCKvhPGYniBiY=,tag:UF8JGYww/97q7K9DA5OH9g==,type:str]
jondavpass: ENC[AES256_GCM,data:+ZZYUhCiId7VXLw=,iv:Vte1+asf07oiBaKbJc8lM5slM4Icds+MnqHyMEXgjbk=,tag:Ujfeig7Govj6S2AesmH1OQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1a2kpues0gayampkn9pn2czhk24r0yl4jnw84qg4gh5l72dflx95qkmyqzv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncWNwT2F1ZkxhY3h4UFFs
U2lpM3lXdVZqNDFiSTRTaDI4UFFDRk1QNUUwCnpvdjAzNFQ0dnJ5Wm52b1hBUUFL
dzdHb0RwbU02Y3FzMkM2eFNPUzg2UGMKLS0tIDZrdXc1RFc5NUJNb0ZhclNuYUNX
dmFEc1hrR3czZTBzU2pLQ0ZUL3VPblEKRwy03xI+qiTMJsmG/pe/3WoB8c+vLtXo
kaYY18r3tICKfxQQyDWh3Gevo2+CGhblCcgJ3AnyWQBqIZwIudDuHw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-12T20:35:04Z"
mac: ENC[AES256_GCM,data:VsJS7ZrUdOKiRxH/J2JvMM2XXG/7I1YJJt6TFtomrkTCAg91jiBPKpSFwjV27ix8iizWUqGM06xnGkutl8Ed8Uo4VZKX+YcKfYr8h22tTNiFkVg+LGriY/VhPXl+Oe3CAfCBz3EZcuL1khXx/dsk0XMGyKEXID1IoYLO+Cmp4GM=,iv:WGe9Q7Hf7FSscl8PbYPtuhjOADcIpTPCuFG8fuEQCQ8=,tag:/e6Sym8SdYjfzlztzMhU9g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

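--- a/users/admin/home.nix
+++ b/users/admin/home.nix
@@ -0,0 +1,23 @@
+# Only config stuff you cannot config with dotfiles
+# Or stuff that does not interfere with the dotfiles
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+# inputs.xremap-flake.homeManagerModules.default
+];
+home = {
+username = "admin";
+homeDirectory = "/home/admin";
+sessionVariables = {
+EDITOR = "nvim";
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}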

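--- a/users/guest/home.nix
+++ b/users/guest/home.nix
@@ -0,0 +1,25 @@
+# Only config stuff you cannot config with dotfiles
+# Or stuff that does not interfere with the dotfiles
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+# inputs.xremap-flake.homeManagerModules.default
+];
+home = {
+username = "guest";
+homeDirectory = "/home/guest";
+sessionVariables = {
+EDITOR = "nvim";
+STATUS_USER = "guest";
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}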

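--- a/users/horst/home.nix
+++ b/users/horst/home.nix
@@ -0,0 +1,24 @@
+# Only config stuff you cannot config with dotfiles
+# Or stuff that does not interfere with the dotfiles
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+# inputs.xremap-flake.homeManagerModules.default
+];
+home = {
+username = "horst";
+homeDirectory = "/home/horst";
+sessionVariables = {
+EDITOR = "nvim";
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}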

BIN
users/jonas/backg.jpg Normal file


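--- a/users/jonas/home.nix
+++ b/users/jonas/home.nix
@@ -0,0 +1,137 @@
+# Only config stuff you cannot config with dotfilesho
+# Or stuff that does not interfere with the dotfiles
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+./packages.nix
+# inputs.xremap-flake.homeManagerModules.default
+# inputs.stylix.homeManagerModules.stylix
+];
+# This is very build intense
+# wayland.windowManager.hyprland = {
+# enable = true;
+# plugins = [
+# inputs.hyprland-plugins.packages.${pkgs.system}.hyprexpo
+# ];
+# };
+services.gnome-keyring.enable = true;
+home.packages = [ pkgs.gcr ]; # Provides org.gnome.keyring.SystemPrompter
+# change the defaults because I can!
+xdg.mimeApps = {
+enable = true;
+defaultApplications = {
+# Set for web-related content
+"text/html" = "firefox.desktop";
+"x-scheme-handler/http" = "firefox.desktop";
+"x-scheme-handler/https" = "firefox.desktop";
+"x-scheme-handler/about" = "firefox.desktop";
+"x-scheme-handler/unknown" = "firefox.desktop";
+"application/pdf" = "sioyek.desktop";
+"application/rnote" = "rnote.desktop";
+"video/mp4" = "mpv.desktop";
+"image/*" = "fehcustom.desktop";
+};
+};
+# custom feh
+xdg.desktopEntries.fehcustom = {
+name = "FehCustom";
+terminal = false;
+exec = "${pkgs.feh}/bin/feh -d --keep-zoom-vp --draw-exif --start-at %u";
+};
+# xdg.desktopEntries.flowblade = {
+# name = "Flowblade";
+# terminal = false;
+# exec = "${pkgs.flowblade}/bin/flowblade";
+# };
+home = {
+username = "jonas";
+homeDirectory = "/home/jonas";
+sessionVariables = {
+EDITOR = "nvim";
+HTTP_HOME = "duckduckgo.com";
+MANPAGER="nvim +Man!";
+};
+shellAliases = {
+testt = "echo 'test'";
+flk = "sudo nixos-rebuild switch --flake '~/configuration/nixos#'";
+};
+pointerCursor = {
+gtk.enable = true;
+name = "catppuccin-frappe-rosewater-cursors";
+package = pkgs.catppuccin-cursors.frappeRosewater;
+#hyprcursor.enable = true;
+#hyprcursor.size = 16;
+size = 18;
+};
+};
+# stylix.enable = true;
+# stylix.image = ./backg.jpg;
+# Theming gtk
+gtk = {
+enable = true;
+iconTheme = {
+package = pkgs.papirus-icon-theme;
+name = "Papirus-Dark";
+};
+theme = {
+name = "Adwaita-dark";
+package = pkgs.gnome-themes-extra;
+};
+};
+# Qt6 Configuration Tool (qt6ct) configuration
+qt = {
+enable = true;
+platformTheme.name = "qtct";
+style.name = "Kvantum";
+};
+xdg.configFile."Kvantum/kvantum.kvconfig".source = (pkgs.formats.ini { }).generate "kvantum.kvconfig" {
+General.theme = "Catppuccin-Frappe-Rosewater";
+};
+xdg.configFile."qt6ct/qt6ct.conf".source = pkgs.writeTextFile {
+name = "qt6ct.conf";
+text = ''
+[Appearance]
+color_scheme_path=${pkgs.qt6ct}/share/qt6ct/colors/airy.conf
+custom_palette=false
+icon_theme=Papirus-Dark
+standard_dialogs=default
+style=kvantum
+'';
+};
+# starship - an customizable prompt for any shell
+programs.starship = {
+enable = true;
+settings = {
+add_newline = false;
+aws.disabled = true;
+gcloud.disabled = true;
+line_break.disabled = true;
+sudo = {
+disabled = false;
+symbol = "SUDO ";
+style = "bold red";
+};
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}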

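--- a/users/jonas/home_lite.nix
+++ b/users/jonas/home_lite.nix
@@ -0,0 +1,126 @@
+# Only config stuff you cannot config with dotfilesho
+# Or stuff that does not interfere with the dotfiles
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+./packages.nix
+# inputs.xremap-flake.homeManagerModules.default
+# inputs.stylix.homeManagerModules.stylix
+];
+# This is very build intense
+# wayland.windowManager.hyprland = {
+# enable = true;
+# plugins = [
+# inputs.hyprland-plugins.packages.${pkgs.system}.hyprexpo
+# ];
+# };
+# change the defaults because I can!
+xdg.mimeApps = {
+enable = true;
+defaultApplications = {
+# Set for web-related content
+"text/html" = "firefox.desktop";
+"x-scheme-handler/http" = "firefox.desktop";
+"x-scheme-handler/https" = "firefox.desktop";
+"x-scheme-handler/about" = "firefox.desktop";
+"x-scheme-handler/unknown" = "firefox.desktop";
+"application/pdf" = "sioyek.desktop";
+"video/mp4" = "mpv.desktop";
+"image/*" = "fehcustom.desktop";
+};
+};
+# custom feh
+xdg.desktopEntries.fehcustom = {
+name = "FehCustom";
+terminal = false;
+exec = "${pkgs.feh}/bin/feh -d --keep-zoom-vp --draw-exif --start-at %u";
+};
+home = {
+username = "jonas";
+homeDirectory = "/home/jonas";
+sessionVariables = {
+EDITOR = "nvim";
+HTTP_HOME = "duckduckgo.com";
+MANPAGER="nvim +Man!";
+};
+shellAliases = {
+testt = "echo 'test'";
+flk = "sudo nixos-rebuild switch --flake '~/configuration/nixos#'";
+};
+pointerCursor = {
+gtk.enable = true;
+name = "catppuccin-frappe-rosewater-cursors";
+package = pkgs.catppuccin-cursors.frappeRosewater;
+size = 18;
+};
+};
+# stylix.enable = true;
+# stylix.image = ./backg.jpg;
+# Theming gtk
+gtk = {
+enable = true;
+iconTheme = {
+package = pkgs.papirus-icon-theme;
+name = "Papirus-Dark";
+};
+theme = {
+name = "Adwaita-dark";
+package = pkgs.gnome-themes-extra;
+};
+};
+# Qt6 Configuration Tool (qt6ct) configuration
+qt = {
+enable = true;
+platformTheme.name = "qtct";
+style.name = "Kvantum";
+};
+xdg.configFile."Kvantum/kvantum.kvconfig".source = (pkgs.formats.ini { }).generate "kvantum.kvconfig" {
+General.theme = "Catppuccin-Frappe-Rosewater";
+};
+xdg.configFile."qt6ct/qt6ct.conf".source = pkgs.writeTextFile {
+name = "qt6ct.conf";
+text = ''
+[Appearance]
+color_scheme_path=${pkgs.qt6ct}/share/qt6ct/colors/airy.conf
+custom_palette=false
+icon_theme=Papirus-Dark
+standard_dialogs=default
+style=kvantum
+'';
+};
+# starship - an customizable prompt for any shell
+programs.starship = {
+enable = true;
+settings = {
+add_newline = false;
+aws.disabled = true;
+gcloud.disabled = true;
+line_break.disabled = true;
+sudo = {
+disabled = false;
+symbol = "SUDO ";
+style = "bold red";
+};
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}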
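Review bot: `home_lite.nix` repeats `home.nix` almost verbatim — the only differences are the `services.gnome-keyring`/`pkgs.gcr` lines, the `application/rnote` mime entry and the commented hyprcursor lines — so every future change has to be made in two places. Factor the shared parts (`xdg.mimeApps`, `fehcustom`, `home`, the gtk/qt theming and `programs.starship`) into a `common.nix` that both files import, and keep only the delta in each. In both files the `flk` alias single-quotes `~/configuration/nixos#`, so the shell does not expand the tilde and `sudo` may change `$HOME` as well; whether the flake-ref parser expands it is worth confirming once, or the path can be written out explicitly.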

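--- a/users/jonas/packages.nix
+++ b/users/jonas/packages.nix
@@ -0,0 +1,227 @@
+{ pkgs, ...}:
+{
+home.packages = with pkgs; [
+(catppuccin-kvantum.override {
+accent = "rosewater";
+variant = "frappe";
+})
+weechat
+just
+iamb
+wiki-tui
+# some helpers and new stuff to try
+vscode
+mise
+direnv
+nushell
+visidata
+vuls
+# add scanner
+simple-scan
+obsidian
+rclone
+scc
+broot
+gron
+xh
+#jujutsu # this is currently insecure
+pkgs.unstable.spotify-player
+pipewire
+mesa
+sops
+gimp
+audio-recorder
+cheese
+age
+kdePackages.konsole
+kdePackages.dolphin
+git-lfs
+# Privacy stuff
+tor
+torsocks
+w3m
+timer
+castero
+qbittorrent
+lynx
+links2
+newsboat
+discord
+blender
+audacity
+slack
+zoom-us
+vlc
+thunderbird
+steam
+obsidian
+obs-studio
+prismlauncher
+inkscape
+shotcut
+#openshot-qt
+#flowblade
+papirus-folders
+todo-txt-cli
+systemctl-tui
+acpi
+zsh
+feh
+watson
+slides
+kdePackages.falkon
+epiphany
+imagemagick
+xdragon
+luarocks
+lua
+gradle
+openjdk
+chafa
+libpulseaudio
+pavucontrol
+findutils.locate
+ethtool
+qalculate-qt
+wl-clip-persist
+btop
+fastfetch
+zathura
+eza
+fuzzel
+catppuccin-cursors
+networkmanagerapplet
+gdu
+hyprpaper
+tokei
+fzf
+gcc
+gnumake
+lazygit
+nodejs
+ripgrep
+pkgs.signal-desktop
+unison
+trash-cli
+starship
+python3
+fd
+ttyper
+zoxide
+vim
+tofi
+bat
+clipse
+dunst
+killall
+libreoffice
+perl
+pipx
+wpgtk
+waybar
+stow
+brightnessctl
+anki
+pkgs.unstable.typst
+dnsmasq
+davfs2
+mediainfo
+powertop
+#midori
+exiftool
+gtk4.dev
+curl
+sioyek
+qt6.qtbase
+libpulseaudio
+xournalpp
+rnote
+libinput
+libGL
+libglvnd
+emacs
+cargo
+hyprshot
+hyprpicker
+hyprsunset
+wl-clipboard
+mpv
+gitui
+keepassxc
+kitty
+wlsunset
+pkgs.unstable.yazi
+neovim
+htop
+alpine
+#tree
+#pkgs.qt5.full
+wget
+tmux
+zip
+xz
+unzip
+p7zip
+jq # A lightweight and flexible command-line JSON processor
+yq-go # yaml processor https://github.com/mikefarah/yq
+mtr # A network diagnostic tool
+iperf3
+dnsutils # `dig` + `nslookup`
+ldns # replacement of `dig`, it provide the command `drill`
+aria2 # A lightweight multi-protocol & multi-source command-line download utility
+socat # replacement of openbsd-netcat
+nmap # A utility for network discovery and security auditing
+ipcalc # it is a calculator for the IPv4/v6 addresses
+# misc
+cowsay
+file
+which
+gnused
+gnutar
+gawk
+zstd
+gnupg
+# nix related
+# it provides the command `nom` works just like `nix`
+# with more details log output
+nix-output-monitor
+# productivity
+hugo # static site generator
+glow # markdown previewer in terminal
+iotop # io monitoring
+iftop # network monitoring
+# system call monitoring
+strace # system call monitoring
+ltrace # library call monitoring
+lsof # list open files
+# system tools
+sysstat
+lm_sensors # for `sensors` command
+pciutils # lspci
+usbutils # lsusb
+];
+}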
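Review bot: `obsidian` and `libpulseaudio` each appear twice in `home.packages` (once near the top of the list and again further down); Nix tolerates the duplicates but they make the list harder to audit, so drop the second occurrence of each. Inside `with pkgs; [ ... ]` the entries mix bare names with `pkgs.signal-desktop` and `pkgs.unstable.*`; writing the stable ones bare and reserving the `pkgs.` prefix for the `unstable` overlay makes the intent of each line visible at a glance. A short comment on why `spotify-player`, `typst` and `yazi` are pinned to unstable would help the next person deciding whether to keep those pins.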

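--- a/users/root/home.nix
+++ b/users/root/home.nix
@@ -0,0 +1,86 @@
+# Only config stuff you cannot config with dotfiles
+# Or stuff that does not interfere with the dotfiles
+# Changed my mind
+# Just do whats fun
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+# ./packages.nix
+# inputs.xremap-flake.homeManagerModules.default
+# inputs.stylix.homeManagerModules.stylix
+];
+home = {
+username = "root";
+sessionVariables = {
+EDITOR = "nvim";
+HTTP_HOME = "duckduckgo.com";
+MANPAGER="nvim +Man!";
+};
+shellAliases = {
+testting = "echo 'test'";
+};
+};
+home.packages = with pkgs; [
+acpi
+zsh
+zoxide
+btop
+yazi
+unzip
+feh
+];
+programs.zsh = {
+enable = true;
+initContent = ''
+# Load Starship prompt
+eval "$(starship init zsh)"
+'';
+};
+programs.bash = {
+enable = true;
+bashrcExtra = ''
+# Interactive shell check
+[[ $- != *i* ]] && return
+# Load Starship prompt
+if command -v starship >/dev/null 2>&1; then
+eval "$(starship init bash)"
+fi
+# Add any other bash aliases or functions here
+alias ll='ls -l'
+alias la='ls -A'
+'';
+profileExtra = ''
+# Source the bashrc
+if [ -f ~/.bashrc ]; then
+. ~/.bashrc
+fi
+'';
+};
+# starship - an customizable prompt for any shell
+programs.starship = {
+enable = true;
+settings = {
+add_newline = false;
+aws.disabled = true;
+gcloud.disabled = true;
+line_break.disabled = true;
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}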
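Review bot: Unlike the other `users/*/home.nix` files this one sets `home.username` but no `home.homeDirectory`; when evaluated through the NixOS home-manager module that is presumably derived from the system user, but as a standalone configuration it would need `homeDirectory = "/root";` explicitly, and a one-line comment saying which is intended would avoid the question. `programs.zsh.initContent` calls `starship init zsh` unconditionally while the bash block guards the same call with `command -v starship`; since `programs.starship.enable = true` installs it, either both guards or neither would be consistent. `yazi` comes from stable here while `users/jonas/packages.nix` pins `pkgs.unstable.yazi`; if that is deliberate, a comment would help.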

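--- a/users/theo/home.nix
+++ b/users/theo/home.nix
@@ -0,0 +1,24 @@
+# Only config stuff you cannot config with dotfiles
+# Or stuff that does not interfere with the dotfiles
+{ config, pkgs, inputs, ... }:
+{
+imports = [
+# Load all the to be installed packages
+# inputs.xremap-flake.homeManagerModules.default
+];
+home = {
+username = "theo";
+homeDirectory = "/home/theo";
+sessionVariables = {
+EDITOR = "nvim";
+};
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+home.stateVersion = "24.11";
+}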

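--- a/users/users.nix
+++ b/users/users.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+{
+# Define a user account. Don't forget to set a password with passwd.
+users.defaultUserShell = pkgs.zsh;
+# Define groups
+users.groups.dummy = {};
+users.users = {
+jonas = {
+isNormalUser = true;
+extraGroups = [ "docker" "input" "scanner" "lp" "davfs2" "wheel" "audio" "networkmanager" ];
+};
+theo = {
+isNormalUser = true;
+};
+horst = {
+isNormalUser = true;
+extraGroups = [ "wheel" "networkmanager" ];
+};
+gui = {
+isNormalUser = true;
+};
+shared = {
+isNormalUser = true;
+};
+dummy = {
+# Testing what this does
+isNormalUser = false;
+isSystemUser = true;
+# Set this to be safe
+group = "dummy";
+};
+};
+}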
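Review bot: `jonas` is placed in the `docker` group, which is effectively root-equivalent because members control the Docker daemon; since the account is already in `wheel` this adds nothing on a host where sudo is unrestricted, but it is worth a comment (or rootless Docker) so the privilege is a documented choice rather than an accident. The header comment says passwords are set with `passwd`, yet no account declares `hashedPassword`, `hashedPasswordFile` or `openssh.authorizedKeys.keys`, and the networking module opens port 22; confirm that `services.openssh` disables password authentication elsewhere, or add keys here. `gui` and `shared` are created with no groups and no comment on their purpose, and `users.defaultUserShell = pkgs.zsh` requires `programs.zsh.enable = true` in a system module that is not visible in this commit.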